NUKEM [DBC]

Runit!

Da Breaker Crew

Download Program: http://opensys.tsogu.ru/~analobin/runit.html

Download Tutorial: http://www.elitereverser.net

Tools:

Hexworkshop 2.54
W32Dasm 8.93
Upx 1.00

Easy [x]   Medium [ ]   Hard [ ]


Protection

This small application is protected by a nag screen, and you'll see the adventure we have with this little nag. :-)

This little tool is also packed with UPX.

Start Cracking

OK, the first step is to see where the shareware restriction in this tool is.
On every start this tool shows an ugly nag screen.
So fire up W32Dasm and disassemble Runit.exe.
The first thing I saw was that it is packed with UPX (look at the header).
So close your disassembler and let us unpack it.
To make this easier to follow, put Runit.exe on your Desktop.

I hope UPX is also located on your Desktop.

- C:\windows\desktop\upx.exe
// running this shows the UPX menu
// now type in
- C:\windows\desktop\upx.exe -d -k c:\windows\desktop\Runit.exe
// this tells UPX to decompress ( -d )
// and to make a backup ( -k ).

OK, leave UPX and load Runit.exe into your disassembler again.
Look through the string references, but they don't help; there is nothing interesting in them.
So we debug Runit.

In the W32Dasm menu go to Debug and Load Process, type nothing in the text box and hit the OK button.
Run Runit by hitting F9 and switch to the nag.
When you see the nag, hit F7 to step into and terminate the process.

* Possible StringData Ref from Data Obj ->"qMLV"

:00407875 6864ED4000      push 0040ED64
:0040787A E805B9FFFF      call 00403184              <==-- calls the Nag
:0040787F 59              pop ecx
:00407880 59              pop ecx
:00407881 50              push eax
:00407882 FF35C8B54900    push dword ptr [0049B5C8]

* Reference To: USER32.MessageBoxA, Ord:0000h

:00407888 FF156CD54900    Call dword ptr [0049D56C]
:0040788E 56              push esi                   <==-- you will land here

* Reference To: KERNEL32.LocalFree, Ord:0000h
Take the call and NOP it out:

:0040787A 90              nop
:0040787B 90              nop
:0040787C 90              nop
:0040787D 90              nop
:0040787E 90              nop

Original bytes: E805B9FFFF
Patched bytes:  9090909090

Save everything, and when you start Runit again you'll see that the first nag is gone but another one pops up.
Follow the same procedure to get rid of the other one too.

Offset   Crackdata    Originaldata

5B49     75           74
6C53     90           EB
6C55     909090       B9FFFF
6C7A     9090909090   E805B9FFFF

So check that you changed the same bytes as I did, and when you are done, all the nags are gone :-)

Closing remark

Greets to: ploppy, Manycracker, Cypher, PlAyEr, +fravia, TRDonJuan, fREaKaZoiD, kOboLd666, Shockwave, uzZi, DYCUS, SiNa, WAHNS, Hamst, Calib, ErAzEr, VandalJax, penace, s@nDOk@n, Milhouse, Kylock, LYMERICFILE, figugegl, Unreal, Celitca Espania, wArGod, Rex][waR, Savatage, Mr.White[WkT], FuzzyCat, Alpha18, draXXter, BlackPanther, ..... and all I have forgotten.

on't even know them, but only to give a little info about the